
Applying the Process Safety Standards

Steve Burke, CFSE


The Representative Office of exida Asia Pacific Pte. Ltd. in Ho Chi Minh city

exida Contacts

Singapore        +65 6222 5160
Vietnam          +84 854 042 580
Hong Kong        +852 2633 7727
Australia / NZL  +64 3 472 7707
Germany          +49 89 4900 0547
USA              +1 215 453 1720
Canada           +1 403 475 1943
United Kingdom   +44 2476 456 195
Netherlands      +31 318 414 505
Switzerland      +41 22 364 14 34
Mexico           +52 55 5611 9858
South Africa     +27 31 267 1564

Copyright exida Asia Pacific 2014

Today's Objective

Introduce Process Safety Concepts and Essential Principles

Standards to help with the design of a Safety Instrumented System (SIS):
- Determine the level of safety performance: Safety Integrity Level (SIL)
- Safety Requirement Specification (SRS)
- Safety Instrumented Function (SIF) Design and Equipment Selection
- Verification and Validation of your SIF design
- Overview of Cybersecurity
- Overview of Alarm Management

Who exida are and what we do

AsiaPacific@exida.com

Why do we need a Process Safety Standard?


Because bad things do happen

Flixborough 1974: 28 dead, 36 injured
Seveso 1976: dioxin cloud over local town
Bhopal 1984: 2,500 dead, >100,000 injured
Piper Alpha 1988: 165 dead, 61 injured

Still happening.

Firefighters fight flames at the BP plant in Texas City after the July 28, 2005 explosion. (15 dead & 170 injured)

Primary Cause of Failures?

Breakdown by safety lifecycle phase (Source: Health, Safety & Environmental Agency):
- Specification
- Design and Implementation
- Installation and Commissioning
- Operation and Maintenance
- Changes after Commissioning

The majority of accidents are preventable if a systematic Risk-Based Approach is adopted.

Findings of the Lord Cullen Report

"The operator should be required ... submit a Safety Case of each installation."
"Regulations should be performance oriented (set goals), rather than prescriptive."

Note: The Lord Cullen report was the detailed study of the Piper Alpha accident commissioned by the English government.

Which Standard?

Standards and guidelines preceding IEC 61508:
- ISA S84.01
- DIN V 19250
- DIN VDE 0801
- EWICS
- NAMUR
- HSE PES

IEC 61508
Functional safety of electrical/electronic/programmable electronic safety-related systems

Which Standard?

IEC 61508
Functional Safety for E/E/PES Safety Related Systems
Applies to Device Manufacturers where a sector-specific standard is not available.

Sector-specific standards derived from IEC 61508:
IEC 61513   Nuclear
IEC 62061   Machinery
IEC 61511   Process Industry
ISO 26262   Road Vehicles

The sector-specific standards apply to End Users and Systems Integrators.

Relationship between IEC 61508 and IEC 61511

Process Sector Safety Instrumented System Standards:
IEC 61508   Manufacturers and Suppliers of Devices
IEC 61511   Safety Instrumented System designers, Integrators and users

Prescriptive/Functional Standards

Prescriptive Standard: tells you what to do.
Functional or Performance Standard: tells you what performance level you need to meet.

Example of a prescriptive standard (NTL excerpt; Copyright 2013 exida figure):

MINERALS MANAGEMENT SERVICE, GULF OF MEXICO OCS REGION
NTL No. 2000-G13, Effective Date: May 25, 2000
NOTICE TO LESSEES AND OPERATORS OF FEDERAL OIL, GAS, AND SULPHUR LEASES IN THE OUTER CONTINENTAL SHELF, GULF OF MEXICO OCS REGION
Production Safety Systems Requirements

This Notice to Lessees and Operators (NTL) supersedes NTL No. 2000-G09, dated March 29, 2000, on this subject. It makes minor technical amendments and corrects some cited authorities.

1. 30 CFR 250.802(b). Exclusion of pressure safety high (PSH) and pressure safety low (PSL) sensors on downstream vessels in a production train
As specified in American Petroleum Institute (API) Recommended Practice (RP) 14C, Section A.4, you must install a PSH sensor to provide over-pressure protection for a vessel. If an entire production train operates in the same pressure range, the PSH sensor protecting the initial vessel will detect the highest pressure in the production train, thereby providing primary over-pressure protection to each subsequent vessel in the production train. The intent of API RP 14C is not compromised under this scenario. Therefore, you may use API RP 14C Safety Analysis Checklist (SAC) reference A.4.a.3 to exclude all subsequent PSH sensors other than the PSH sensor protecting the initial vessel in a production train.

Highlighted on the slide: "American Petroleum Institute (API) Recommended Practice (RP) 14C, Section A.4, you must install a PSH sensor to provide over-pressure protection for a vessel" and "API RP 14C Safety Analysis Checklist (SAC)".

Prescriptive/Functional Standards

Prescriptive Standard: tells you what to do.
Functional or Performance Standard: tells you what performance level you need to meet.

Example of a performance standard (IEC 61511-2 guidance excerpt; Copyright 2013 exida figure):

IEC 61511: Functional Safety - Safety Instrumented Systems for the Process Industry Sector

7.1.1 Requirements (guidance to IEC 61511-1 only)
7.1.1.1 IEC 61511-1 recognizes that organizations will have their own procedures for verification and does not require it always to be carried out in the same way. Instead, the intent of this clause is that all verification activities are planned in advance, along with any procedures, measures and techniques that are to be used.
7.1.1.2 No further guidance provided.
7.1.1.3 It is important that the results of verification are available so that it can be demonstrated that effective verification has taken place at all phases of the safety lifecycle.

8 Process Hazard and Risk Analysis
8.1 Objectives
The overall objective here is to establish the need for safety functions (e.g., protection layers) together with associated levels of performance (risk reduction) that are needed to ensure a safe process. It is normal in the process sector to have multiple safety layers so that failure of a single layer will not lead to or allow a harmful consequence. Typical safety layers are represented in Figure 9 of IEC 61511-1.
8.2 Requirements (guidance to IEC 61511-1 only)
8.2.1 The requirements for hazard and risk analysis are specified only in terms of the results of the task. This means that an organization may use any technique that it considers to be effective, provided it results in a clear description of safety functions and associated levels of performance.

Highlighted on the slide: "7.1.1.1 IEC 61511-1 recognizes that organizations will have their own procedures for verification and does not require it always to be carried out in the same way." and "8.2.1 The requirements for hazard and risk analysis are specified only in terms of the results of the task."

Performance Targets

Safety Integrity Level   Probability of failure on demand (PFD) per year   Risk Reduction Factor
(Demand mode of operation)
SIL 4                    >= 10^-5 to < 10^-4                               100000 to 10000
SIL 3                    >= 10^-4 to < 10^-3                               10000 to 1000
SIL 2                    >= 10^-3 to < 10^-2                               1000 to 100
SIL 1                    >= 10^-2 to < 10^-1                               100 to 10

The IEC 61511 Safety Lifecycle

Phases:
- Management and Planning
- Analysis Phase
- Realization Phase
- Operate and Maintain

Management and Planning

FSM Key Issues

Functional Safety Management
- Safety Planning: create a FSM Plan
  Specify management and technical activities during the Safety Lifecycle to achieve and maintain Functional Safety
- Design Guidelines
- Roles and Responsibilities
  Must be clearly delineated and communicated for each phase of the SLC and its associated activities
  The organizational complexity of Upstream operations puts added priority on defined roles and responsibility and on accountability
- Interface Management
  Critical in large projects / disjointed supply chains
  Defined in Roles and Responsibility
- Documented Processes, Documentation Control, Documentation
- Functional Safety Verification and Assessment
- Personnel Competency
- Operations and Maintenance
- Management of Change

Safety Assessment: Verification and Validation

Verification: the activity of demonstrating for each phase of the safety lifecycle by analysis and/or tests that, for the specific inputs, the deliverables meet the objectives and requirements set for the specific phase.

Validation: the activity of demonstrating that the safety instrumented function(s) and safety instrumented system(s) under consideration after installation meet in all respects the safety requirements specification.

(Figure: Safety Requirements -> Task Objectives -> Task -> ... -> Safety System. Each Task is verified against its Task Objectives; the Safety System is validated against the Safety Requirements.)

Minimum independence for functional safety assessment

Minimum Level of Independence   SIL 1   SIL 2   SIL 3   SIL 4
Independent Person              HR      HR1     NR      NR
Independent Department          --      --      HR1     NR
Independent Organization        --      --      HR2     HR

NOTE: Depending upon the company organization and expertise within the company, the requirement for independent persons and departments may have to be met by using an external organization. Conversely, companies that have internal organizations skilled in risk assessment and the application of safety-related systems, which are independent of and separate (by ways of management and other resources) from those responsible for the main development, may be able to use their own resources to meet the requirements for an independent organization.

Personnel Competency

"Persons, departments, or organizations involved in safety lifecycle activities shall be competent to carry out the activities for which they are accountable."
- IEC 61511, Part 1, Paragraph 5.2.2.2

Training, experience, and qualifications should all be addressed and documented:
- System engineering knowledge
- Safety engineering knowledge
- Legal and regulatory requirements knowledge

More critical for novel systems or high SIL requirements.

The IEC 61511 Safety Lifecycle: Analysis Phase

What is Risk?

Risk is a measure of the likelihood and consequence of an adverse effect.
1. How often can it happen?
2. What will be the effects if it does?

Risk Receptors:
- Personnel
- Environment
- Financial

Financial Risk: Equipment/Property Damage, Business Interruption, Business Liability, Company Image, Lost Market Share.
Financial may overwhelm other receptors, diluting focus on Personnel/Environmental.

Individual Risk and ALARP

UK HSE Tolerability of Risk framework
Individual risk: frequency an individual may receive a given level of harm (usually death) from the outcome of specified hazards.

High Risk
Intolerable Region ("No way")
10^-3/yr (workers), 10^-4/yr (public)
ALARP or Tolerable Region ("If it's worth it")
10^-6/yr
Broadly Acceptable Region ("We accept it")
Negligible Risk

Tolerable Risk Level

Matrix form with guiding statement:
All extreme risks will be reduced and all moderate risks will be reduced where practical.

Frequency             Recordable Injury   Lost Time Injury   Permanent Injury/Death   Many Deaths
1 per 100 years       Acceptable          Moderate           Extreme                  Extreme
1 per 1000 years      Acceptable          Acceptable         Moderate                 Extreme
1 per 10,000 years    Acceptable          Acceptable         Moderate                 Moderate
1 per 100,000 years   Acceptable          Acceptable         Acceptable               Moderate

Example Only

Process Hazard Analysis (PHA)

Identifying hazards:
- HAZOP (Hazards and Operability Study)
- Checklist / What If Analysis
- FMEA (Failure Modes and Effects Analysis)
- Fault Tree Analysis
- Etc.

Example PHA worksheet rows (Causes / Consequences / Safeguards / Recommendations):

Causes: Column Steam Reboiler pressure control fails, causing excessive heat input
Consequences: Column overpressure and potential mechanical failure of the vessel and release of its contents
Safeguards: 1) Pressure relief valve; 2) Operator intervention on high pressure alarm; 3) Mechanical Design
Recommendations: Install SIS to stop reboiler steam flow upon high column pressure

Causes: Low flow through pump causes pump failure and subsequent seal failure
Consequences: Pump seal fails and releases flammable materials
Safeguards: 1) Low output flow pump; 2) Shutdown SIS
Recommendations: Existing safeguards are adequate

Reviewing The Process

HAZOP ANALYSIS

Columns: GW (Guide Word) / DEVIATION / CAUSES / CONSEQUENCES / SAFEGUARDS / REF# / RECOMMENDATIONS / BY

GW: No
Deviation: No Agitation
Causes: Agitator motor drive fails
Consequences: Non-uniformity leads to runaway reaction and possible explosion. Agitator failure is indicated by high reactor temperature and high pressure.
Safeguards: High Temperature and High Pressure Alarm in DCS. Shortstop system.
Recommendations: Add SIF to chemically control runaway reaction. Add a pressure safety relief valve. If necessary, add a de-pressurization SIF. Use LOPA to determine required SIL.

GW: More
Deviation: Higher Temperature
Causes: Temperature control failure causes overheating during steam heating
Consequences: High temperature could damage reactor seals causing leak. Indicated by high temperature.
Safeguards: High Temperature Alarm in DCS.
Recommendations: Add high-temperature SIF. Use LOPA to determine required SIL.

GW: More
Deviation: Higher Level
Causes: Flow control failure allows the reactor to overfill
Consequences: Reactor becomes full, possible reactor damage and release. Indicated by high level or high pressure.
Safeguards: High Level Alarm in DCS.
Recommendations: Add high-level SIF. Use LOPA to determine required SIL.

HAZOP ANALYSIS 1 (pressure)

Guide Word: No
Deviation: No Agitation
Causes: Agitator motor drive fails
Consequences: Non-uniformity leads to runaway reaction and possible explosion. Agitator failure is indicated by high reactor temperature and high pressure.
Safeguards: High Temperature and High Pressure Alarm in DCS. Shortstop system.
Ref #: P&ID #s
Recommended Actions: Add a pressure safety relief valve. If necessary, add a depressurization SIF. Use LOPA to determine required SIL.
By: CMF

Pressure SIF

DETOUR: Safety Standards for Process Industry
SAFETY LIFECYCLE
SIL SELECTION (SIL 1, SIL 2, SIL 3)

Safety Integrity Level

Used THREE ways:
1. To establish risk reduction requirements
2. To set probabilistic limits for hardware random failure
3. To establish engineering procedures to prevent systematic design errors

Safety Integrity Level: SIL 4, SIL 3, SIL 2, SIL 1

Safety Integrity Level 1st Usage

1. Each safety instrumented function has a requirement to reduce risk. The order of magnitude level of risk reduction required is called a SIL level.

Safety Integrity Level   Risk Reduction Factor
SIL 4                    100000 to 10000
SIL 3                    10000 to 1000
SIL 2                    1000 to 100
SIL 1                    100 to 10

Safety Integrity Levels 2nd Usage: Random Failure Probability

2. A Safety Function meets a SIL level if a calculated probability falls within the associated band on one of two different charts. This view looks at RANDOM FAILURES.

Safety Integrity Level   Probability of failure on demand (Demand mode of operation)
SIL 4                    >= 10^-5 to < 10^-4
SIL 3                    >= 10^-4 to < 10^-3
SIL 2                    >= 10^-3 to < 10^-2
SIL 1                    >= 10^-2 to < 10^-1

Copyright 2013 exida

Safety Integrity Level 3rd Usage

3. To establish engineering procedures to prevent systematic design errors.
The equipment used to implement any safety instrumented function must be designed using procedures intended to prevent systematic design errors. The rigor of the required procedure is a function of SIL level (SIL 1 to SIL 4).

Multiple layers of protection (outermost to innermost):
- Community Emergency Response
- Plant Emergency Response
- Physical Protection (Dikes)
- Physical Protection (Relief Devices)
- Safety Instrumented System
- Alarms, Operator Intervention
- Basic Process Control
- Process

Outcome considerations
1. The only outcome of interest is "accident occurs".
2. All branches where protection layers are successful end in termination of the analysis.

(Figure: the risk inherent in the process is reduced in turn by the Process, BPCS, Alarms, SIS, Mech and Other layers until it falls below the Tolerable Risk Level.)

LOPA - Event tree modified for layer of protection analysis

Initiating Event -> Protection Layer 1 -> Protection Layer 2 -> Protection Layer 3 -> Final Outcome
Init Event: PL1 Fails -> PL2 Fails -> PL3 Fails -> Accident Occurs
PL1 Success, PL2 Success or PL3 Success -> No Impact, Stop

1. Proceed with the event tree, but only calculate the probability of the accident.
2. The accident frequency is the initiating event frequency multiplied by the PFD of all protection layers.

Example 1 Reactor Explosion LOPA

Draw the Layer of Protection Analysis Diagram for the following situation:
An accident whose consequence is an explosion due to a runaway reactor caused by the agitator motor failure.
The following layers of protection exist:
- Batch process only runs 5 times per year
- The operator responds to alarms and stops the process
- Runaway reaction cancelled by addition of Shortstop
- The reactor has a pressure relief valve

LOPA diagram:
INITIATING EVENT       PL #1               PL #2               PL #3              PL #4                   OUTCOME
Agitator Motor Fails   Batch not running   Operator Response   Adding Shortstop   Pressure relief valve   Explosion
(any layer succeeds)                                                                                      No Event

Example Column Rupture LOPA

Quantify the accident frequency of the prior example.
Agitator Motor fails once every 2 years: Failure Frequency is 0.5 /yr

Protection Layer PFDs are:
- Batch Process not running, PFD = 0.29
  (5 batches/yr * 3 weeks/batch * 7 days/week * 24 hours/day = 2520 operational hours = 29% of the year)
- Operator response failure, PFD = 0.1
- Shortstop failure, PFD = 0.1
- Relief valve failure, PFD = 0.07

Example 1 Reactor Explosion LOPA Solution

INITIATING EVENT       PL #1                PL #2               PL #3             PL #4                   OUTCOME
Agitator Motor Fails   Batch in Operation   Operator Response   Shortstop Fails   Pressure Relief Valve   Explosion
0.5 /yr                0.29                 0.1                 0.1               0.07                    1.02E-04
(any layer succeeds)                                                                                      No Event

F = 0.5 /yr * 0.29 * 0.1 * 0.1 * 0.07 = 1.02 x 10^-4/yr

Is that any good?
That results in 1 explosion in every 9,804 years.

Know your tolerable Risk

This is Company specific.
For our example, see the table below:

Severity    Definition                                  Tolerable Frequency (events/year)
Extensive   One or more fatalities                      10^-5
Severe      Multiple medical treatment case injuries    10^-4
Minor       Minor injury or reversible health effects   10^-3

Calculate your SIL required

(Figure: risk of Explosion in Reactor due to Agitator Motor failing. After the Process, Batch Not in Operation, Alarms, Shortstop and Relief Valve layers the Expected event Frequency is 1.02x10^-4; the SIF must bring it below the Tolerable Risk Level of 1.0x10^-5.)

Calculate your SIL required

We know the event frequency = 1.02x10^-4
We know the Corporate tolerable risk level = 1x10^-5
To achieve our target SIL:
PFD = Tolerable Risk / Expected Risk
PFD = 1x10^-5 / 1.02x10^-4 = 0.098
RRF = 1/PFD = 1/0.098 = 10.2
This means the SIF should be SIL 1
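The calculation on this slide and the event-tree rule from the LOPA slides (accident frequency = initiating event frequency multiplied by the PFD of every layer), carried through in code as an added example that is not part of the original slides. The numbers are the slides' own; the function names, the dict returned by required_sif and the handling of a required RRF below 10 are this example's assumptions.

```python
"""LOPA worked example (added here; not part of the original slides).

Walks the slides' reactor-explosion case end to end: the event-tree rule
that the accident frequency is the initiating-event frequency multiplied
by the PFD of every protection layer, the comparison against a tolerable
frequency, and the required SIF PFD / RRF / SIL. All numbers are the
ones the slides use; the SIL bands are the demand-mode bands from the
Performance Targets table.
"""
from math import prod

# Demand-mode SIL bands: SIL -> (lower PFD bound inclusive, upper bound exclusive)
SIL_BANDS = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}

HOURS_PER_YEAR = 365 * 24


def sil_for_pfd(pfd):
    """Return the SIL whose PFD band contains pfd, or None outside SIL 1..4."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfd < hi:
            return sil
    return None


def batch_operating_fraction(batches_per_year, weeks_per_batch):
    """Fraction of the year the batch is running (the 'batch in operation' PFD)."""
    hours = batches_per_year * weeks_per_batch * 7 * 24
    return hours / HOURS_PER_YEAR


def accident_frequency(initiating_freq, layer_pfds):
    """Event-tree rule: only the branch where every layer fails reaches the
    accident, so multiply the initiating frequency by all layer PFDs."""
    if not all(0.0 <= p <= 1.0 for p in layer_pfds):
        raise ValueError("a PFD is a probability in [0, 1]")
    return initiating_freq * prod(layer_pfds)


def required_sif(initiating_freq, layer_pfds, tolerable_freq):
    """Compare the mitigated frequency with the tolerable one and size the SIF.

    Returns a dict with the accident frequency, whether a SIF is needed and,
    if so, the PFD it must achieve, the equivalent RRF and the SIL band.
    A required RRF below 10 falls outside the SIL bands (sil = None): the
    remaining gap is small enough for a non-SIL layer (assumption).
    """
    freq = accident_frequency(initiating_freq, layer_pfds)
    if freq <= tolerable_freq:
        return {"frequency": freq, "sif_needed": False, "pfd": None, "rrf": None, "sil": None}
    pfd = tolerable_freq / freq  # PFD = Tolerable Risk / Expected Risk
    return {"frequency": freq, "sif_needed": True, "pfd": pfd, "rrf": 1 / pfd,
            "sil": sil_for_pfd(pfd)}


if __name__ == "__main__":
    # The slides' layers: batch in operation, operator response, Shortstop, relief valve
    layers = [round(batch_operating_fraction(5, 3), 2), 0.1, 0.1, 0.07]  # 0.29, ...
    result = required_sif(0.5, layers, 1e-5)
    print(f"accident frequency {result['frequency']:.2e}/yr, "
          f"1 in {1 / result['frequency']:,.0f} years")
    print(f"required PFD {result['pfd']:.3f}, RRF {result['rrf']:.1f}, SIL {result['sil']}")
```

The slides round the accident frequency to 1.02x10^-4 before dividing, which gives PFD 0.098 and RRF 10.2; the code keeps the unrounded 1.015x10^-4 and lands at 0.0985 and 10.15. Either way the required PFD falls in the SIL 1 band.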


Safety Requirements Specification

Definition (IEC 61511): specification that contains all the requirements of the safety instrumented functions in a safety instrumented system.

Tasks:
- Identify and describe safety instrumented functions
- Document Safety Integrity Level
- Document SIF action: Logic, Cause and Effect Diagram, etc.
- Document SIF parameters: timing, maintenance/bypass requirements, etc.

The SRS is the critical documentation for System Implementation & Testing.
The SRS is the point of reference during the Operations phase.
The better the SRS:
- The better the communication during the project
- The more informed the change impact assessment for modifications

SRS Elements

SIS General
- Non-Functional
- Regulations & Standards
- Failure, Start & Restart
- Interfaces
- Environmental conditions

SIF Specific
- Sensor(s)
- Logic Solver
- Final Element(s)
- Identification
- Description/Duty/P&ID
- Safe State
- Required SIL
- Proof Test Interval
- Response Time
- Architecture Summary
- Mode of Operation: Energize or De-energize; Demand or Continuous
- Trip Setting & Logic
- Spurious Trip Requirements
- Start-up Overrides
- Special Requirements

SIF General
- Maintenance Overrides
- Manual Shutdown
- Operating Modes
- Failure Modes
- Reset
- Diagnostics

Logic Description Methods

Plain Text
Strengths: extremely flexible, no special knowledge required.
Weaknesses: time-consuming; developing program code from it is difficult and error prone.

Example Only:
If one of the following conditions occurs:
1. Switch BS-01 is deenergized, indicating loss of flame
2. Switch PSL-02 is deenergized, indicating low fuel gas pressure
then the main fuel gas flow to the heater is stopped by performing all of the following:
1. Closing valves XV-03A and XV-03B
2. Opening valve XV-03C.
The respective valves will be opened and closed by deenergizing the solenoid valve XY-03.

Cause-and-Effect Diagrams
Strengths: low level of effort, clear visual representation.
Weaknesses: rigid format (some functions cannot be represented with C-E diagrams), can oversimplify.

Binary Logic Diagrams (ISA 5.2)
Strengths: more flexible than C-E diagrams, direct transposition to a function block diagram program.
Weaknesses: time consuming, knowledge of standard logic representation required.
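The plain-text heater example above, expressed as a cause-and-effect matrix and evaluated by a small generic solver; this is an added example, not code from the original slides. The tags BS-01, PSL-02, XV-03A/B/C and XY-03 are the example's own; representing each input as an energised/de-energised boolean, treating a missing signal as de-energised, and the action names are assumptions made here to keep the example self-contained.

```python
"""Cause-and-effect evaluation of the heater SIF from the plain-text example
(added illustration; not code from the original slides).

Tags are the example's own. Assumptions of this example: inputs are booleans
where True = energised (healthy) and False = de-energised (demand), a missing
input is treated as de-energised (fail-safe), and the effects are named
actions on the final elements.
"""

# Causes: a de-energised switch is a demand.
CAUSES = {
    "BS-01": "loss of flame",
    "PSL-02": "low fuel gas pressure",
}

# Effects the logic solver commands when ANY listed cause is active. All are
# driven by de-energising solenoid XY-03 (de-energise-to-trip).
EFFECTS = {
    "XY-03": "de-energise",
    "XV-03A": "close",
    "XV-03B": "close",
    "XV-03C": "open",
}

# Cause-and-effect matrix: True where the cause triggers the effect.
# In this example both causes trigger every effect (an OR of the causes).
CE_MATRIX = {cause: {effect: True for effect in EFFECTS} for cause in CAUSES}


def evaluate(inputs, matrix=CE_MATRIX, effects=EFFECTS):
    """Evaluate the matrix against switch states.

    inputs: {tag: energised(bool)}. A tag absent from inputs counts as
    de-energised, which is the fail-safe reading of a lost signal.
    Returns (active_causes, commanded_actions); commanded_actions maps each
    final element to its required state and is empty when no cause is active.
    """
    active = sorted(tag for tag in matrix if not inputs.get(tag, False))
    actions = {}
    for cause in active:
        for effect, triggers in matrix[cause].items():
            if triggers:
                actions[effect] = effects[effect]
    return active, actions


if __name__ == "__main__":
    print("normal:", evaluate({"BS-01": True, "PSL-02": True}))
    print("flame out:", evaluate({"BS-01": False, "PSL-02": True}))
    print("PSL-02 signal lost:", evaluate({"BS-01": True}))
```

The matrix is data, so the same evaluate function serves any C-E diagram; the plain-text weakness the slide names (hand-translating prose into program code) is avoided by letting the matrix drive the logic directly.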

The IEC 61511 Safety Lifecycle: Realization Phase
(Management and Planning -> Analysis Phase -> Realization Phase)

Safety Instrumented System

An SIS is defined as a system composed of sensors, logic solvers and final elements designed for the purpose of:
1. Automatically taking an industrial process to a safe state when specified conditions are violated;
2. Permitting the process to move forward in a safe manner when specified conditions allow (permissive functions);
3. Taking action to mitigate the consequences of an industrial hazard.

(Figure: the SIS (Power Supply, CPU, Input Module, Output Module) and the Basic Process Control System (BPCS) (Power Supply, CPU, Input Module, Output Module), both connected to the Equipment Under Control (EUC).)

Safety Instrumented Function

A SIF is a specific, single set of actions and the corresponding equipment needed to identify a single hazard and act to bring the system to a safe state.

Different from a SIS, which can encompass multiple functions and act in multiple ways to prevent multiple harmful outcomes.

(Figure: SIF 1 and SIF 2, each with Sensors -> Logic Solver -> Final elements.)

Safety Instrumented System

An SIS includes several Safety Instrumented Functions (SIF).

(Figure: SIF 1 to SIF 5 sharing one Logic Solver, each with its own Sensors and Final elements.)

SIS, SIF and SIL

Safety Instrumented System
  Safety Instrumented Function -> Safety Integrity Level
  Safety Instrumented Function -> Safety Integrity Level
  Safety Instrumented Function -> Safety Integrity Level

One SIS may have multiple SIFs, each with a different SIL.
Therefore it is incorrect and ambiguous to define a SIL for an entire safety instrumented system.

Safety Instrumented Function (SIF) Implementation

(Figure: Sensors (each a Sensing Element with Signal Conditioning) -> Logic Solver -> Final Elements (Signal Conditioning and Final Control Elements), with Interconnections and Circuit Utilities, i.e. Electrical Power, Instrument Air etc.)

The actual implementation of any single safety instrumented function may include multiple sensors, signal conditioning modules, multiple final elements and dedicated circuit utilities like electrical power or instrument air.

IEC 61511 Protection Against: RANDOM Failures and SYSTEMATIC Failures

Random and Systematic Failures

Random Failures
A failure occurring at a random time, which results from one or more degradation mechanisms. Usually a permanent failure due to a system component loss of functionality; typically hardware related.

Systematic Failures
A failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation, or other relevant factors. Usually due to a design fault: wrong component, error in software program, etc.

IEC 61511 Protect Against: HOW?
RANDOM Failures: Probabilistic Performance Based Design
SYSTEMATIC Failures: HOW?

SIF Design
The SIL achieved is the minimum of:
1. SIL_PFD: Probability of Failure on Demand Average / per hour (PFDavg / PFH)
2. SIL_AC: Hardware Fault Tolerance (Architectural Constraints)
3. SIL_CAP: Capability to prevent Systematic Failures (Systematic Capability)

Failure Modes
With a safety system, the concern shouldn't be so much with how the system operates, but rather how the system fails. Safety systems can fail in two ways:

Safe failures: initiating, overt, spurious, costly downtime
Dangerous failures: inhibiting, covert, potentially dangerous, must be found by testing

Probability of Failure on Demand

The SIL achieved is the minimum of:
1. SIL_PFD: Probability of Failure on Demand Average / per hour (PFDavg / PFH)
2. SIL_AC: Hardware Fault Tolerance
3. SIL_CAP: Capability to prevent Systematic Failures

The PFD of the function is the sum of the PFDs of the elements in its loop:
PFD_sensor + PFD_mux + PFD_input + PFD_mp + PFD_output + PFD_relay + PFD_fe + PFD_process-connection

IEC 61508-6 Method

Divide each failure rate into specific failure modes:
λ_S = λ_SD + λ_SU   (SAFE DETECTED, SAFE UNDETECTED)
λ_D = λ_DD + λ_DU   (DANGEROUS DETECTED, DANGEROUS UNDETECTED)

(Figure: pie chart of the four failure-mode categories, with segments labelled 60% and 40%.)

Conventional PLC Input Circuit

(Figure: schematic of a conventional PLC input circuit: ac input Vin with 5V isolation, resistors 1K, 200K, 10K and 10K, diodes D1 and D2, optocoupler OC1, nodes V1 and V2, +5V supply, L2.)

FMEDA for Conventional PLC Input Circuit

Failure Modes and Effects Analysis; failure rates in failures/billion hours (FIT).
Worksheet columns: Component, Mode, Effect, Criticality (1 = Safe, 0 = Dang.), FIT, Safe FIT, Dangerous FIT, Diagnostic, Safe Covered FIT, Dang. Det. Covered FIT.

Component   Mode          Effect             Criticality   FIT    Diagnostic
R1 - 1K     short         loose filter       1 Safe        0.13
            open          read logic 0       1 Safe        0.5    read input open
C1 - 0.18   short         read logic 0       1 Safe
            open          loose filter       1 Safe        0.5
R2 - 200K   short         overvoltage        0 Dang.       0.13
            open          read logic 0       1 Safe        0.5    read input open
R3 - 10K    short         read logic 0       1 Safe        0.13
            open          overvoltage        0 Dang.       0.5
D1          short         read logic 0       1 Safe
            open          blow out circuit   0 Dang.
D2          short         read logic 1       0 Dang.
            open          blow out circuit   0 Dang.
OC1         led dim       no light           1 Safe        28
            tran. short   read logic 1       0 Dang.       19
            tran. open    read logic 0       1 Safe
R4 - 10k    short         read logic 0       1 Safe        0.13
            open          read logic 1       0 Dang.       0.5

Totals (Failure Rates): 71 FIT; Safe 38.88; Dangerous 32.1; Dang. Det. Covered FIT 0; Safe Coverage 0.0257.

Safety Rated PLC Input Circuit

(Figure: schematic of the safety rated input circuit.)

FMEDA for Safety Rated Input Circuit

Failure Modes and Effects Analysis; failure rates in failures/billion hours (FIT). Same worksheet columns as the conventional circuit: Component, Mode, Effect, Criticality, FIT, Safe, Dangerous, Dang. Det., Diagnostic, Safe Covered FIT, Dang. Det. Covered FIT.

Components: R1 - 10K, R2 - 100K, R3 - 100K, R4 - 10K, R5 - 100K, R6 - 10K, C1, C2, D1, D2, OC1, OC2.

Failure modes and effects recorded in the worksheet:
- short: Threshold shift, short input, overvoltage, loose filter, read logic 0 (all 1 Safe; resistor FIT 0.13 / safe 0.125)
- open: open circuit, Threshold shift, loose filter (1 Safe; FIT 0.5), input float high, read logic 1 (0 Dang.; FIT 0.5)
- OC1 and OC2: led dim -> no light (1 Safe, 28 FIT); tran. short -> read logic 1 (0 Dang., 10 FIT); tran. open -> read logic 0 (1 Safe)
Diagnostics: "loose input pulse" and "Comp. mismatch" (comparison between channels), each with coverage 1.

Totals (Failure Rates): 111 FIT; Safe 88.75; Dangerous 22; Safe Covered FIT 86.875; Dang. Det. Covered FIT 22; Safe Coverage 0.9789.

What is?
Safe Failure Fraction: A measurement of the likelihood of getting a dangerous failure that is NOT detected by automatic self diagnostics.

NOTE: Definitions refer to single channel architectures.

IEC 61508 Safe Failure Fraction (SFF)

$$
\mathrm{SFF} = \frac{SD + SU + DD}{SD + SU + DD + DU} = 1 - \frac{DU}{Total}
$$

(SD, SU, DD, DU: safe detected, safe undetected, dangerous detected and dangerous undetected failure rates; Total is the sum of all four.)

SIF Design
The SIL achieved is the minimum of:
1. SILPFD: Probability of Failure on Demand Average / per hour (PFDavg / PFH)
2. SILAC: Architectural Constraints (Hardware Fault Tolerance)
3. SILCAP: Capability to prevent Systematic Failures

Architectural Constraints
As technology advances it is becoming easier to achieve the required PFDavg. However, PFDavg is not the only safety metric that needs to be satisfied. Architectural constraints also need to be satisfied.
Architectural constraints look at the Hardware Fault Tolerance (HFT) and the Safe Failure Fraction (SFF) of each subsystem to determine if the SIL has been met.

$$
\mathrm{SFF} = \frac{SD + SU + DD}{SD + SU + DD + DU}
$$

IEC 61508 Table 2: Type A

| Safe Failure Fraction | HFT 0 | HFT 1 | HFT 2 |
| --- | --- | --- | --- |
| < 60% | SIL 1 | SIL 2 | SIL 3 |
| 60% to < 90% | SIL 2 | SIL 3 | SIL 4 |
| 90% to < 99% | SIL 3 | SIL 4 | SIL 4 |
| > 99% | SIL 3 | SIL 4 | SIL 4 |

IEC 61508 Table 3: Type B

| Safe Failure Fraction | HFT 0 | HFT 1 | HFT 2 |
| --- | --- | --- | --- |
| < 60% | NA | SIL 1 | SIL 2 |
| 60% to < 90% | SIL 1 | SIL 2 | SIL 3 |
| 90% to < 99% | SIL 2 | SIL 3 | SIL 4 |
| > 99% | SIL 3 | SIL 4 | SIL 4 |
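The SFF formula and the two architectural-constraint tables above, worked through as an added Python example (this is not exida code and not part of SILver or exSILentia). It uses the FMEDA totals from the two input-circuit slides; treating all 32.1 FIT of the non-safety circuit's dangerous failures as undetected, and classing both circuits as Type B for the sample run, are assumptions made here.

```python
"""Safe Failure Fraction (SFF) and IEC 61508-2 Table 2 / Table 3 lookup.

Added example, not exida code.  Failure rates are in FIT (failures per
10^9 hours), as in the FMEDA slides.
"""
from typing import Optional

# Upper bound (exclusive) of each SFF band and the table row it selects:
# row 0 = < 60 %, row 1 = 60 % to < 90 %, row 2 = 90 % to < 99 %, row 3 = 99 % and up.
# The slide labels the last band "> 99 %"; the standard's band starts at 99 %, used here.
SFF_BANDS = ((0.60, 0), (0.90, 1), (0.99, 2))

# Rows = SFF band, columns = hardware fault tolerance 0, 1, 2.  None = NA (no SIL claim).
TYPE_A = [[1, 2, 3], [2, 3, 4], [3, 4, 4], [3, 4, 4]]       # IEC 61508 Table 2
TYPE_B = [[None, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]]    # IEC 61508 Table 3


def sff(safe_fit: float, dd_fit: float, du_fit: float) -> float:
    """SFF = (SD + SU + DD) / (SD + SU + DD + DU).

    safe_fit is SD + SU together, which is how the FMEDA totals report it."""
    total = safe_fit + dd_fit + du_fit
    if total <= 0:
        raise ValueError("no failure rate data")
    return (safe_fit + dd_fit) / total


def sff_band(value: float) -> int:
    """Row index of the SFF band that value (0..1) falls in."""
    for upper, row in SFF_BANDS:
        if value < upper:
            return row
    return 3


def sil_ac(device_type: str, sff_value: float, hft: int) -> Optional[int]:
    """SIL allowed by the architectural constraints (SIL_AC); None means NA."""
    if hft not in (0, 1, 2):
        raise ValueError("tables cover HFT 0, 1 and 2 only")
    table = {"A": TYPE_A, "B": TYPE_B}[device_type.upper()]
    return table[sff_band(sff_value)][hft]


def achieved_sil(sil_pfd: int, sil_ac_value: Optional[int], sil_cap: int) -> Optional[int]:
    """The SIL achieved is the minimum of SIL_PFD, SIL_AC and SIL_CAP."""
    if sil_ac_value is None:
        return None          # architecture not permitted at any SIL
    return min(sil_pfd, sil_ac_value, sil_cap)


if __name__ == "__main__":
    # Safety-rated input circuit, totals from the FMEDA slide: safe 88.75 FIT,
    # dangerous 22 FIT, all 22 FIT detected by the comparison diagnostic.
    safety_rated = sff(safe_fit=88.75, dd_fit=22.0, du_fit=0.0)
    # Non-safety PLC input: safe 38.88 FIT, dangerous 32.1 FIT.  Assumption:
    # no diagnostics, so every dangerous failure counts as undetected.
    plain = sff(safe_fit=38.88, dd_fit=0.0, du_fit=32.1)
    for name, value in (("safety-rated", safety_rated), ("non-safety", plain)):
        for hft in (0, 1):   # 1oo1 and 1oo2 of the same device (Type B assumed)
            print(f"{name:13s} SFF={value:.4f} HFT={hft} -> SIL_AC {sil_ac('B', value, hft)}")
    # The deck's later worked example: SIL_PFD 2, SIL_AC 1, SIL_CAP 3.
    print("SIL achieved:", achieved_sil(2, 1, 3))
```

Running it shows the point of the architectural constraints: the safety-rated circuit (SFF 100%, every dangerous failure detected) reaches SIL 3 on its own, while the non-safety input (SFF about 55%) has no SIL claim at all at HFT 0 and only SIL 1 in a redundant pair.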

Example FMEDA 3051S


Example 3051S
Hardware Fault Tolerance: The quantity of failures that can be tolerated while maintaining the safety function

| Architecture | Hardware Fault Tolerance |
| --- | --- |
| 1oo1 | 0 |
| 1oo1D | 0 |
| 1oo2 | 1 |
| 2oo2 | 0 |
| 2oo3 | 1 |
| 2oo2D | 0 |
| 1oo2D | 1 |
| 1oo3 | 2 |

IEC 61511 Protect Against:

RANDOM Failures: Probabilistic Performance Based Design
SYSTEMATIC Failures: HOW? A Detailed Engineering Process

SIF Design
The SIL achieved is the minimum of:
1. SILPFD: Probability of Failure on Demand Average / per hour (PFDavg / PFH)
2. SILAC: Architectural Constraints (Hardware Fault Tolerance)
3. SILCAP: Capability to prevent Systematic Failures

Question?
Is Redundancy sufficient protection against SYSTEMATIC FAILURES?

REDUNDANCY IS NOT A PROTECTION AGAINST SYSTEMATIC FAILURES!
A single systematic fault can cause failure in multiple channels of an identical redundant system.

Example: A command was sent into a redundant DCS. The command caused a controller to lock up trying to interpret the command. The diagnostics detected the failure and forced switchover to a redundant unit. The command was sent to the redundant unit which promptly locked up as well.

Equipment Capability
(The three SIF criteria: PFD, Probability of Failure on Demand; Architectural Constraints; Equipment Capability)

In order to combat Systematic Failures, IEC 61511 requires equipment used in safety systems to meet one of two requirements:
IEC 61508 certification: certified under IEC 61508 to the appropriate SIL level
Prior Use: justification based on Proven in Use criteria

Prior Use
Prior use generally means:
Documented, successful experience (no dangerous failures)
A particular version of a particular instrument
Similar conditions of use: Functionality / Application, Environment

Typical objections:
"We do not have the failure data!"
"I do not want to take responsibility for equipment justification!"
"We do not take the time to record all instrument failures!"
"This is a new instrument!"
"I cannot justify PRIOR USE!"

Product Certification
Functional safety certification for devices is accomplished per IEC 61508
Products are certified to a Safety Integrity Level (SIL)
The result is typically a certificate and a certification report

SIL Certification: the vendor showed sufficient protection against Random and Systematic Failures

Pressure for Certification

End User Demand
Offers easier specification
More consistency through project teams
Allows use of new technology
Quickly becomes Best Practice

Process Industry
Mature market in Logic Solvers and Traditional Sensors
New Market in New Technologies, Sensors and Final Elements

Vendor Demand
In mature markets, may be cost of entry (i.e. Logic Solvers)
Establishes credibility in Safety Market
Allows introduction of Technology with Credibility
In new markets, may provide significant differentiation, limit competition and create higher margins

Market Support

The exida web site also has a list of process industry instrumentation equipment with IEC 61508 certification. With several thousand unique visitors per month, this list has become the most popular global purchase qualification list for many buyers.

IEC 61508 PLC Certification

IEC 61508 Level Transmitter Certification

IEC 61508 Solenoid Valve Certification

Market Support / Data

For every equipment type, exSILentia has a list of equipment showing certification status and all relevant data. Equipment on this list enjoys strong market exposure. exida customers are included in the list.

Example
The SIL achieved is the minimum of:

1. SILPFD: SIL 2
2. SILAC: SIL 1
3. SILCAP: SIL 3

The SIL level for this Safety Instrumented Function (SIF) is: SIL 1

Select Technology

Sensor Sub-System, Logic Solver Sub-System, Final Element Sub-System

Objective
Choose the right equipment for the purpose. All criteria used for process control still apply.

Tasks
Choose equipment: IEC 61508 certification or Prior Use Justification (IEC 61511)
Obtain reliability and safety data for the equipment
Obtain Safety Manual for any safety certified equipment

Fault Propagation Models

Fault Tree Analysis
Markov Analysis
Event Tree Analysis
Block Diagram

Simplified Equations

| Voting | PFDavg | STR |
| --- | --- | --- |
| 1oo1 | $\dfrac{DU \cdot TI}{2}$ | (cell not recovered in extraction) |
| 1oo2 | $\dfrac{(DU)^2 \cdot TI^2}{3}$ | $2\,S$ |
| 1oo2D | $\dfrac{(DU)^2 \cdot TI^2}{3}$ | $(S)^2 \cdot MTTR$ |
| 2oo2 | $DU \cdot TI$ | $(S)^2 \cdot MTTR$ |
| 2oo3 | $(DU)^2 \cdot TI^2$ | $6\,(S)^2 \cdot MTTR$ |

Where:
PFDavg = Probability of Failure on Demand (average)
SFR = Spurious Failure Rate (the STR column above)
MTTR = Mean Time To Repair
TI = Test Interval
S = Safe Detected Failures
DU = Dangerous Undetected Failures

Conceptual Design / SIL Verification using SILver

SILver is Safety Integrity Level verification according to IEC 61508 / IEC 61511
SILver calculates SIF performance parameters:
PFDavg (Average Probability of Failure on Demand)
MTTFS (Mean Time To Fail Spurious)
SIL (Safety Integrity Level based on PFDavg)
SIL (Safety Integrity Level based on Architectural Constraints, IEC 61508-2 Tables 2 & 3)
RRF (Risk Reduction Factor)

SIL Verification using SILver

Third Party assessment of development process
IEC 61508 compliant
No user justification required for SIL verification up to SIL 3

SIL Verification Demo


The IEC 61511 Safety Lifecycle

Management and Planning
Analysis Phase
Realization Phase
Operate and Maintain

What is?
Proof Testing: A manually initiated test designed to detect failure of any part of a SIF.
Different proof test procedures can have different levels of effectiveness.

No practical proof test will detect all failures.

Mission Time
Typical simplified equations assume perfect repair:

$$
\mathrm{PFD_{avg}} \approx \frac{DU \cdot TI}{2}
$$

However repair is typically not perfect; lifetime / mission time needs to be considered:

$$
\mathrm{PFD_{avg}} \approx \frac{DU \cdot C_{PT} \cdot TI}{2} + \frac{DU \cdot (1 - C_{PT}) \cdot MT}{2}
$$

(C_PT: proof test coverage, the fraction of dangerous undetected failures the proof test finds; MT: mission time. Failures the test misses accumulate over the mission time rather than over the test interval.)
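The simplified-equations table (Voting / PFDavg / STR) and the proof-test-coverage formula on this slide, carried through as one added Python example. It is not exida's SILver or exSILentia code; the failure rates, test interval and mission time are constructed, the 1oo1 spurious trip rate is assumed to be the safe failure rate of the single channel (that cell did not survive extraction), and the PFDavg-to-SIL bands are the IEC 61508 low-demand bands.

```python
"""Simplified PFDavg / STR equations and the proof-test-coverage correction.

Added example, not exida's SILver/exSILentia code.  Failure rates are per hour
(1 FIT = 1e-9 /h); TI, MTTR and MT are in hours.
"""
FIT = 1e-9
HOURS_PER_YEAR = 8760.0


def pfd_avg(voting: str, lam_du: float, ti: float) -> float:
    """PFDavg for one voting architecture, perfect proof test assumed (slide table)."""
    x = lam_du * ti
    formulas = {
        "1oo1": x / 2,
        "1oo2": x ** 2 / 3,
        "1oo2D": x ** 2 / 3,
        "2oo2": x,
        "2oo3": x ** 2,
    }
    return formulas[voting]


def spurious_trip_rate(voting: str, lam_s: float, mttr: float) -> float:
    """STR per the slide table.  The 1oo1 cell did not survive extraction; a single
    channel trips on every safe failure, so lam_s is assumed there."""
    formulas = {
        "1oo1": lam_s,
        "1oo2": 2 * lam_s,
        "1oo2D": lam_s ** 2 * mttr,
        "2oo2": lam_s ** 2 * mttr,
        "2oo3": 6 * lam_s ** 2 * mttr,
    }
    return formulas[voting]


def mttfs(str_value: float) -> float:
    """Mean time to fail spurious = 1 / STR."""
    return 1.0 / str_value


def pfd_avg_mission(lam_du: float, ti: float, cpt: float, mt: float) -> float:
    """1oo1 PFDavg with imperfect proof testing:
    DU*C_PT*TI/2 covers the failures the proof test finds, and
    DU*(1-C_PT)*MT/2 the ones that persist until the end of the mission time."""
    if not 0.0 <= cpt <= 1.0:
        raise ValueError("proof test coverage must be between 0 and 1")
    return lam_du * cpt * ti / 2 + lam_du * (1 - cpt) * mt / 2


def sil_pfd(pfd: float) -> int:
    """IEC 61508 low-demand band of a PFDavg: SIL n covers 10^-(n+1) <= PFDavg < 10^-n.
    0 means no SIL (PFDavg >= 0.1); values below 1e-5 have no band and report 4."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


if __name__ == "__main__":
    lam_du = 500 * FIT          # constructed: 500 FIT dangerous undetected
    lam_s = 1000 * FIT          # constructed: 1000 FIT safe
    ti = 1 * HOURS_PER_YEAR     # annual proof test
    mt = 15 * HOURS_PER_YEAR    # 15-year mission time
    for voting in ("1oo1", "1oo2", "1oo2D", "2oo2", "2oo3"):
        p = pfd_avg(voting, lam_du, ti)
        s = spurious_trip_rate(voting, lam_s, mttr=8.0)
        print(f"{voting:5s} PFDavg={p:.2e} (SIL {sil_pfd(p)})  STR={s:.2e}/h  "
              f"MTTFS={mttfs(s) / HOURS_PER_YEAR:.1f} y")
    for cpt in (1.0, 0.98, 0.65):
        p = pfd_avg_mission(lam_du, ti, cpt, mt)
        print(f"1oo1 C_PT={cpt:.0%} PFDavg={p:.2e} (SIL {sil_pfd(p)})")
```

With the constructed 500 FIT and a 15-year mission, the same 1oo1 transmitter sits in the SIL 2 band with a 98% proof test and drops into the SIL 1 band at 65%, which is the same effect the pressure transmitter chart on the next slide shows.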

PFD / PFDavg for Two Pressure Transmitter Proof Tests

(Chart: PFD plotted against time in years for two proof test coverages; the curve data did not survive extraction.)
PFDavg at PTC = 65%: 1.53E-02
PFDavg at PTC = 98%: 3.37E-03

Spurious Trip
A spurious trip is a shutdown (taking the process to a safe state) that occurs when it is not needed (no demand).
Two areas of Concern:
Shutdown and Startup can be the most dangerous times
Operations likes to run

STR, Spurious Trip Rate = 1 / MTTFS
MTTFS = Mean Time To Failure Spurious (SAFE failure)
MTTFD = Mean Time To Dangerous Failure


Industrial Control Systems Cybersecurity

REGULATIONS, STANDARDS AND BEST PRACTICES

Recent Events
Shamoon virus takes out 30,000 computers at Saudi Aramco
US Defense Secretary issues strong warning of cyber attacks on US critical infrastructure
DHS issues alerts about coordinated attacks on gas pipeline operators

Control System Cyber Security

Control systems operate industrial plant equipment and critical processes
Tampering with these systems can lead to:
Death, Injury, Sickness
Environmental releases
Equipment Damage
Production loss / service interruption
Off-spec / Dangerous product
Loss of Trade Secrets

Control system security is about preventing intentional or unintentional interference with the proper operation of plant

Control Systems are more vulnerable today than ever before
Now use commercial technology
Highly connected
Offer remote access
Technical information is publicly available
Hackers are now targeting control systems

Actual Incident Data
(Chart of incident sources; the percentages did not survive extraction. Categories: Hacker; Disgruntled employee; Network device, software; IT Dept, Technician; Malware (virus, worm, trojan).)
Source: 2011 Security Incidents Organization

Regulations
Department of Homeland Security
6 CFR part 27: Chemical Facility Anti-Terrorism Standards (CFATS)
National Cyber Security Division, Control Systems Security Program (CSSP)

Department of Energy
Federal Energy Regulatory Commission (FERC): 18 CFR Part 40, Order 706 (mandates NERC CIPs 002-009)

Nuclear Regulatory Commission
10 CFR 73.54 Cyber Security Rule (2009)
RG 5.71

Standards
International Society for Automation (ISA)
ISA 62443 Industrial Automation and Control System (IACS) Security (was ISA 99)

International Electrotechnical Commission (IEC)
IEC 62443 series of standards (equivalent to ISA 99)

National Institute for Standards and Technology (NIST)
SP800-82 Guide to Industrial Control Systems (ICS) Security

ISA / IEC 62443 Structure

The ICS Cybersecurity Lifecycle

Key Principles for Securing ICS

Step 1: Assess Existing Systems
Step 2: Document Policies & Procedures
Step 3: Train Personnel & Contractors
Step 4: Segment the Control System Network
Step 5: Control Access to the System
Step 6: Harden the Components of the System
Step 7: Monitor & Maintain System Security
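Steps 4, 5 and 7 (segment the network, control access, monitor) made concrete as an added Python example that is not exida code. The four-zone model (enterprise, DMZ, control, safety) and the conduit table are assumptions in the style of the zones-and-conduits idea from ISA/IEC 62443; the flow records are constructed sample data, not captured traffic, and the port numbers only illustrate what a site's own conduit list might contain.

```python
"""Zone and conduit check for a segmented control network.

Added example, not exida code: a policy check in the spirit of Steps 4, 5 and 7
(segment, control access, monitor).  The zone model and conduit table are
assumptions in the style of ISA/IEC 62443 zones and conduits; the flow records
are constructed sample data, not captured traffic.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Zones from least to most critical.  Traffic may only cross one boundary at a
# time (enterprise never talks to control directly) and only through a conduit
# that lists the destination port.
ZONE_ORDER = ["enterprise", "dmz", "control", "safety"]

CONDUITS = {                          # (from, to): allowed destination ports (assumed)
    ("enterprise", "dmz"): {443},     # users reach the historian replica in the DMZ
    ("dmz", "control"): {502},        # DMZ collector polls PLC registers
    ("control", "dmz"): {443},        # control zone pushes data outward
    ("control", "control"): {502, 44818},
    ("safety", "control"): {502},     # SIS may report status to the BPCS
}


@dataclass(frozen=True)
class Flow:
    src_host: str
    src_zone: str
    dst_zone: str
    dst_port: int


def check_flow(flow: Flow) -> Optional[str]:
    """Return a finding for a policy violation, or None if the flow is permitted."""
    if flow.src_zone not in ZONE_ORDER or flow.dst_zone not in ZONE_ORDER:
        return f"{flow.src_host}: unknown zone in {flow.src_zone} -> {flow.dst_zone}"
    if flow.dst_zone == "safety" and flow.src_zone != "safety":
        # Nothing outside the safety zone may initiate connections into it.
        return f"{flow.src_host}: inbound connection to the safety zone from {flow.src_zone}"
    hops = abs(ZONE_ORDER.index(flow.src_zone) - ZONE_ORDER.index(flow.dst_zone))
    if hops > 1:
        return f"{flow.src_host}: {flow.src_zone} -> {flow.dst_zone} skips the DMZ boundary"
    allowed = CONDUITS.get((flow.src_zone, flow.dst_zone), set())
    if flow.dst_port not in allowed:
        return (f"{flow.src_host}: port {flow.dst_port} is not on the "
                f"{flow.src_zone} -> {flow.dst_zone} conduit")
    return None


def audit(flows: Iterable[Flow]) -> List[str]:
    """All findings for a batch of flows (what the monitoring step would alert on)."""
    findings = []
    for flow in flows:
        finding = check_flow(flow)
        if finding:
            findings.append(finding)
    return findings


SAMPLE_FLOWS = [   # constructed sample data
    Flow("ws-012", "enterprise", "dmz", 443),      # permitted
    Flow("ws-012", "enterprise", "control", 502),  # skips the DMZ
    Flow("hist-01", "dmz", "control", 3389),       # remote desktop not on the conduit
    Flow("hmi-03", "control", "safety", 502),      # write path into the SIS
    Flow("sis-01", "safety", "control", 502),      # permitted
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print("VIOLATION", finding)
```

The same table that drives the check is the documentation Step 2 asks for: a written list of which zones may talk to which, on which ports, so that a firewall rule or a flow record can be compared against it rather than judged case by case.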

exida Functional Integrity Certification

Functional Integrity Certification = Functional Safety Certification + Functional Security Certification

"Integrity is doing the right thing, even if nobody is watching." (Anonymous)

Who are exida and what we do


exida History
Founded in 1999 by experts from Manufacturers, End Users, Engineering Companies and TÜV Product Services
Independent provider of Tools, Services and Training supporting Customers with Compliance and Certification to any Standards for Functional Safety, Cyber Security and Alarm Management

Rainer Faller
Former Head of TÜV Product Services
Chairman German IEC 61508
Global Intervener ISO 26262 / IEC 61508
Author of several Safety Books
Author of IEC 61508 parts

Dr. William Goble
Former Director Moore Products Co.
Developed FMEDA Technique (PhD)
Author of several Safety Books
Author of several Reliability Books

What we do

EXPERTISE: Functional Safety, Alarm Management, Cyber Security, Reliability
SCOPE: Tools, Training, Consultancy, Certification
INDUSTRIES: Process, Energy, Machine, Automotive
CUSTOMERS: End Users, Manufacturer, Engineering, Integrators

exida Customers (extract from 2000+)


exida Services and Training, Process Industry

Functional Safety Management Set-up
Functional Safety Assessment
PHA
SIL Determination
SRS Development
SIL Verification
Alarm Philosophy Rationalization
Cyber Security Assessments
Training Programs

exida Tools Process Industry


exida Industry Contributions

Global Functional Safety Certification Consultant
3rd Party Accredited Certification Body
Developer FMEDA Technique
Mechanical Failure Database
Electrical & Electronic Failure Database
Instrument & Equipment Failure Database
Development Field Failure Database Methodology
Global Active Participation in IEC ISO Workgroups
Functional Safety Engineering Tools

Why exida Certification?

Experience: exida has done more certification projects in the process industries for currently marketed products than any other certification company.
Excellence / Competency: We have staff with a cumulative experience of several hundred years in automation functional safety and dependability. exida is active in the 61508 (functional safety) and ISA 99 (security) committee and has developed many of the functional safety analysis techniques.
Market Support / Data: exida supports the end user with analysis and data. That data goes into the exSILentia tool. exida provides training for field personnel.
Broad Capabilities: exida can offer functional safety, security and Integrity Certification.

exida Library
exida publishes analysis techniques for functional safety
exida authors ISA best sellers for automation safety and reliability
exida authors industry data handbook on equipment failure data
www.exida.com

Questions and Discussion
